docs-auditor
Warn
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses the ~/.claude/projects/ directory in scripts/collect_transcripts.py to retrieve session history for analysis. This directory contains sensitive logs of user interactions with the AI agent.
- [COMMAND_EXECUTION]: The workflow defined in SKILL.md executes several local Python scripts and system commands, including scripts/collect_transcripts.py, scripts/collect_docs.py, and scripts/generate_report.py.
- [COMMAND_EXECUTION]: The scripts/collect_docs.py script executes system git commands (git log, git rev-list) via subprocess.run to extract file history and freshness metadata.
- [COMMAND_EXECUTION]: The scripts/apply_recommendations.py script has the capability to modify Markdown files within the user's project to update or add documentation metadata (e.g., frontmatter fields).
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection (Category 8) because its sub-agents ingest and process untrusted content from session transcripts and documentation files.
  - Ingestion points: scripts/collect_transcripts.py extracts raw user message text into transcripts.json. scripts/collect_docs.py extracts the full content of Markdown documentation into doc-manifest.json.
  - Boundary markers: The analyst sub-agent prompts (e.g., agents/doc-impact-analyst.md) do not include instructions to ignore or delimit potentially malicious directives embedded within the analyzed content.
  - Capability inventory: The sub-agents' analysis results can influence report generation and the subsequent execution of scripts/apply_recommendations.py to modify project files.
  - Sanitization: There is no evidence of sanitization or escaping of the ingested transcript or document text before it is processed by the LLM sub-agents.
Audit Metadata